Abstract

A wide family of nonlinear sequence generators, the so-called clock-controlled shrinking generators, has been analyzed and identified with a subset of linear cellular automata. The algorithm that converts the given generator into a linear model based on automata is very simple and can be applied in a range of practical interest. Due to the linearity of these automata as well as the characteristics of this class of generators, a cryptanalytic approach can be proposed. Linear cellular structures easily model keystream generators with application in stream cipher cryptography.

Keywords: Cellular automata, clock-controlled generators, sequence reconstruction, cryptography
1 Introduction

Cellular Automata (CA) are particular forms of finite state machines that can be investigated by the usual analytic techniques ([10], [12], [21]). CA have been used in application areas as different as physical system simulation, biological processes, species evolution, socio-economic models or test pattern generation. They are defined as arrays of identical cells in an n-dimensional space and characterized by different parameters [26]: the cellular geometry, the neighborhood specification, the number of contents per cell and the transition rule to compute the successor state. Their simple, modular and cascadable structure makes them very attractive for VLSI implementations.

On the other hand, Linear Feedback Shift Registers (LFSRs) [11] are linear structures commonly used in the generation of pseudorandom sequences. The inherent simplicity of LFSRs, their ease of implementation and the good statistical properties of their output sequences turn them into natural building blocks for the design of pseudorandom sequence generators with applications in spread-spectrum communications, circuit testing, error-correcting codes, numerical simulations or cryptography.
In recent years, one-dimensional CA have been proposed as an alternative to LFSRs ([2], [3]) in the sense that every sequence generated by an LFSR can also be obtained from one-dimensional CA. In cryptographic applications, pseudorandom sequence generators commonly involve several LFSRs combined by means of nonlinear functions or irregular clocking techniques (see [18], [20]). Moreover, in [21] it is proved that one-dimensional linear CA are isomorphic to conventional LFSRs. Thus, the latter structures can simply be substituted by the former ones in order to accomplish the same goal: generation of keystream sequences.

The above class of linear CA has been found to satisfy randomness properties with application in the testing of digital circuits, Built-in Self-Test (BIST) schemes and self-checking [57]. The current interest in these CA stems from the lack of correlation between the bit sequences generated by adjacent cells, see [9]. In this sense, linear CA are superior to the more common LFSRs [11] that have traditionally been used as pseudorandom pattern generators. Nevertheless, the main advantage of CA is that multiple generators designed as nonlinear structures in terms of LFSRs preserve linearity when they are expressed in the form of CA.

This paper considers the problem of finding one-dimensional CA that reproduce the output sequence of a particular LFSR-based generator. More precisely, in this work a wide class of LFSR-based nonlinear generators, the so-called Clock-Controlled Shrinking Generators (CCSGs) [13], is described in terms of one-dimensional CA configurations. Indeed, the well-known Shrinking Generator [8] is just an element of such a class. The automata here presented unify in a simple structure the above mentioned class of sequence generators. The algorithm that converts a given CCSG into a CA-based linear model is very simple and can be applied to CCSGs in a range of practical interest. The underlying idea of this modelling procedure is the concatenation of a basic automaton. Once the generators have been linearized, a cryptanalytic approach to reconstruct the generated sequence is also presented.

The paper is organized as follows: in Section 2, the basic structures considered, i.e. one-dimensional CA and CCSGs, are introduced. A simple algorithm to determine the pair of CA corresponding to a particular shrinking generator and its generalization to Clock-Controlled Shrinking Generators are given in Sections 3 and 4, respectively. A method of reconstructing the generated sequence that exploits the linearity of the CA-based model is presented in Section 5. Finally, conclusions in Section 6 end the paper.

2 Basic Structures 

In the following subsections, we introduce the general characteristics of the basic structures we are dealing with: one-dimensional cellular automata, the shrinking generator and the class of clock-controlled shrinking generators. The work is restricted to CA and LFSRs with binary contents. In addition, all the LFSRs here considered are maximal-length LFSRs, that is, their output sequences are PN-sequences and their characteristic polynomials are primitive polynomials.

2.1 One-Dimensional Cellular Automata 

One-dimensional cellular automata can be described as L-cell registers [4], whose cell contents are updated at the same time instant according to a particular k-variable function (the transition rule) denoted by $\Phi$. If the function $\Phi$ is linear, so is the cellular automaton. In addition, for cellular automata with binary contents there can be up to $2^{2^k}$ different mappings to the next state. Moreover, if $k = 2r + 1$, then the binary content of the i-th cell at time $t + 1$ depends on the contents of k neighbor cells at time t in the following way:

$x_i^{t+1} = \Phi(x_{i-r}^t, \ldots, x_i^t, \ldots, x_{i+r}^t) \quad (i = 1, \ldots, L).$  (1)

The number of cells L (numbered from left to right) is the length of the automaton. CA are called uniform when all cells evolve under the same rule, and hybrid when different cells evolve under different rules. At the ends of the array, two different boundary conditions are possible: null automata, when cells with permanent null contents are supposed adjacent to the extreme cells, or periodic automata, when the extreme cells are supposed adjacent.

In this paper, only transition rules with $k = 3$ will be considered. Thus, there are $2^8$ such rules, among which just two (rule 90 and rule 150) lead to non-trivial machines. Such rules are described as follows:

Rule 90: $\Phi_{90}(x_{i-1}^t, x_i^t, x_{i+1}^t) = x_{i-1}^t + x_{i+1}^t$

    111 110 101 100 011 010 001 000
     0   1   0   1   1   0   1   0

Rule 150: $\Phi_{150}(x_{i-1}^t, x_i^t, x_{i+1}^t) = x_{i-1}^t + x_i^t + x_{i+1}^t$

    111 110 101 100 011 010 001 000
     1   0   0   1   0   1   1   0

Remark that the names rule 90 and rule 150 derive from the decimal values of their next-state functions: 01011010 (binary) = 90 (decimal) and 10010110 (binary) = 150 (decimal). Indeed, $x_i^{t+1}$, the content of the i-th cell at time $t + 1$, depends on the contents of either two different cells (rule 90) or three different cells (rule 150) at time t. The symbol + denotes addition modulo 2 among cell contents. Remark that both transition rules are linear. This work deals exclusively with one-dimensional linear null hybrid CA with rules 90 and 150. A natural way of specifying such CA is an L-tuple $M = [R_1, R_2, \ldots, R_L]$, called rule vector, where $R_i = 0$ if the i-th cell satisfies rule 90 while $R_i = 1$ if the i-th cell satisfies rule 150. A sub-automaton of the previous automata class consisting of cells 1 through i will be denoted by $R_1 R_2 \cdots R_i$.

Table 1: A one-dimensional linear null hybrid cellular automaton of 10 cells with rules 90/150 starting at a given initial state (the body of the table is missing from this copy)

For a cellular automaton of length $L = 10$ cells, rule configuration $(R_1 = 0, R_2 = 1, R_3 = 1, R_4 = 1, R_5 = 0, R_6 = 0, R_7 = 1, R_8 = 1, R_9 = 1, R_{10} = 0)$ and initial state $(0, 0, 0, 1, 1, 1, 0, 1, 1, 0)$, Table 1 illustrates the formation of its output sequences (binary sequences read vertically) and the succession of states (binary configurations of 10 bits read horizontally). For the above mentioned rules, the different states of the automaton are grouped in closed cycles. The number of different output sequences for a particular cycle is $\le L$, as the same sequence (although shifted) may appear simultaneously in different cells. At the same time, all the sequences in a cycle will have the same period and linear complexity [17]. Moreover, any of the output sequences of the automaton can be produced at any cell provided that the right state cycle is chosen.
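As an added example (not code from the paper), the following Python implements the null hybrid CA of equation (1) with rules 90 and 150 and runs the 10-cell automaton just described; the rule vector and initial state are the ones given in the text, all function names are mine.

```python
# Added example; not code from the paper. A one-dimensional linear null
# hybrid CA with rules 90/150 (equation (1) with k = 3), applied to the
# 10-cell automaton of Table 1.

def rule_90(left, center, right):
    """Rule 90: x_i^{t+1} = x_{i-1}^t + x_{i+1}^t (addition modulo 2)."""
    return left ^ right


def rule_150(left, center, right):
    """Rule 150: x_i^{t+1} = x_{i-1}^t + x_i^t + x_{i+1}^t."""
    return left ^ center ^ right


def wolfram_number(rule):
    """Decimal name of a 3-variable rule: its next-state bits for the
    neighbourhoods 111, 110, ..., 000 read as a binary number."""
    bits = [rule((n >> 2) & 1, (n >> 1) & 1, n & 1) for n in range(7, -1, -1)]
    return int("".join(str(b) for b in bits), 2)


def step(state, rule_vector):
    """One synchronous update of a null automaton. rule_vector[i] = 0 means
    rule 90 at cell i+1 and 1 means rule 150 (the paper's codification);
    the cells beyond both ends hold a permanent 0."""
    padded = (0,) + tuple(state) + (0,)
    return tuple(
        (rule_150 if r else rule_90)(padded[i], padded[i + 1], padded[i + 2])
        for i, r in enumerate(rule_vector)
    )


def evolve(state, rule_vector, steps):
    """Succession of states: the rows of Table 1 (initial state first)."""
    rows = [tuple(state)]
    for _ in range(steps):
        rows.append(step(rows[-1], rule_vector))
    return rows


def cell_sequences(state, rule_vector, steps):
    """Output sequence of every cell: the columns of Table 1, read downward."""
    rows = evolve(state, rule_vector, steps)
    return [tuple(row[i] for row in rows) for i in range(len(state))]


def cycle_length(state, rule_vector):
    """Length of the closed state cycle through `state`, or None if the
    state is not on a cycle (possible only when the transition matrix is
    singular, i.e. when x divides the characteristic polynomial)."""
    start, current = tuple(state), step(state, rule_vector)
    for n in range(1, 2 ** len(start) + 1):
        if current == start:
            return n
        current = step(current, rule_vector)
    return None


# The automaton of Table 1: rule vector 0111001110 and initial state
# (0, 0, 0, 1, 1, 1, 0, 1, 1, 0), both taken from the paper's text.
TABLE1_RULES = (0, 1, 1, 1, 0, 0, 1, 1, 1, 0)
TABLE1_STATE = (0, 0, 0, 1, 1, 1, 0, 1, 1, 0)

if __name__ == "__main__":
    print("rule numbers:", wolfram_number(rule_90), wolfram_number(rule_150))
    for row in evolve(TABLE1_STATE, TABLE1_RULES, 5):
        print("".join(str(b) for b in row))
    print("state cycle length:", cycle_length(TABLE1_STATE, TABLE1_RULES))
```

Reading the printed rows horizontally gives the succession of states and the columns give the cell sequences, as in Table 1.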

On the other hand, linear finite state machines are commonly represented and analyzed by means of their transition matrices. The form and characteristics of these matrices for the CA under consideration can be found in [4]. In fact, such matrices are tri-diagonal matrices with the rule vector on the main diagonal, 1's on the diagonals below and above the main one and all other entries being zero. Every automaton is completely specified by its characteristic polynomial, that is, the characteristic polynomial of its transition matrix. Such a characteristic polynomial can be computed in terms of the characteristic polynomials of the previous sub-automata according to the recurrence relation:

$P_i(x) = (x + R_i)\, P_{i-1}(x) + P_{i-2}(x), \quad 0 < i \le L$  (2)

with $P_{-1}(x) = 0$ and $P_0(x) = 1$. Next, the following definition is introduced:



Definition 2.1 A Multiplicative-Polynomial Cellular Automaton is defined as a cellular automaton whose characteristic polynomial is a reducible polynomial of the form $P_M(x) = (P(x))^p$, where p is a positive integer. If $P(x)$ is a primitive polynomial, then the automaton is called a Primitive Multiplicative-Polynomial Cellular Automaton.

The class of binary sequence generators we are dealing with is described in the 
following subsections. 

2.2 The Shrinking Generator 

The shrinking generator is a binary sequence generator [5] composed of two LFSRs: a control register $SR_1$ that decimates the sequence produced by the other register $SR_2$. We denote by $L_j$ $(j = 1, 2)$ their corresponding lengths, with $(L_1, L_2) = 1$ as well as $L_1 < L_2$. Then, we denote by $C_j(x) \in GF(2)[x]$ $(j = 1, 2)$ their corresponding characteristic polynomials of degree $L_j$ $(j = 1, 2)$, respectively.

The sequence produced by $SR_1$, denoted by $\{a_i\}$, controls which bits of the sequence produced by $SR_2$, that is $\{b_i\}$, are included in the output sequence $\{z_j\}$ (the shrunken sequence), according to the following rule P:

1. If $a_i = 1 \Rightarrow z_j = b_i$

2. If $a_i = 0 \Rightarrow b_i$ is discarded.

A simple example illustrates the behavior of this structure. 
Example 2.2 Let us consider the following LFSRs:

1. Register $SR_1$ of length $L_1 = 3$, characteristic polynomial $C_1(x) = 1 + x^2 + x^3$ and initial state $IS_1 = (1, 0, 0)$. The PN-sequence generated by $SR_1$ is $\{1, 0, 0, 1, 1, 1, 0\}$ with period $T_1 = 2^{L_1} - 1 = 7$.

2. Register $SR_2$ of length $L_2 = 4$, characteristic polynomial $C_2(x) = 1 + x + x^4$ and initial state $IS_2 = (1, 0, 0, 0)$. The PN-sequence generated by $SR_2$ is $\{1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1\}$ with period $T_2 = 2^{L_2} - 1 = 15$.

The output sequence $\{z_j\}$ is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b_i\}$ → 1000100110101111000100

• $\{z_j\}$ → 1010110110010

The bits of $\{b_i\}$ at the positions where $a_i = 0$ (underlined in the original) are discarded.



In brief, the sequence produced by the shrinking generator is an irregular decimation of $\{b_i\}$ from the bits of $\{a_i\}$. According to [5], the period of the shrunken sequence is

$T = (2^{L_2} - 1)\, 2^{(L_1 - 1)}$  (3)

and its linear complexity, denoted LC, satisfies the following inequality

$L_2\, 2^{(L_1 - 2)} < LC \le L_2\, 2^{(L_1 - 1)}.$  (4)

A simple calculation, based on the fact that every state of $SR_2$ coincides once with every state of $SR_1$, allows one to compute the number of 1's in the shrunken sequence. Such a number is constant and equal to

$\text{No. 1's} = 2^{(L_2 - 1)}\, 2^{(L_1 - 1)}.$  (5)

Comparing period and number of 1's, it can be concluded that the shrunken sequence is a quasi-balanced sequence.

In addition, it can be proved that the output sequence has good distributional statistics too. Therefore, this scheme is suitable for practical implementation of stream ciphers and pattern generators.

2.3 The Clock-Controlled Shrinking Generators 

The Clock-Controlled Shrinking Generators constitute a wide class of clock-controlled sequence generators [15] with applications in cryptography, error-correcting codes and digital signature. A CCSG is a sequence generator composed of two LFSRs denoted $SR_1$ and $SR_2$. The parameters of both registers are defined as those of subsection 2.2. At any time t, $SR_1$ (the control register) is clocked normally while the second register $SR_2$ is clocked a number of times given by an integer decimation function denoted $\lambda_t$. In fact, if $A_0(t), A_1(t), \ldots, A_{L_1 - 1}(t)$ are the binary cell contents of $SR_1$ at time t, then $\lambda_t$ is defined as

$\lambda_t = 1 + 2^0 A_{i_0}(t) + 2^1 A_{i_1}(t) + \ldots + 2^{w-1} A_{i_{w-1}}(t)$  (6)

where $i_0, i_1, \ldots, i_{w-1} \in \{0, 1, \ldots, L_1 - 1\}$ and $0 \le w \le L_1 - 1$.

In this way, the output sequence of a CCSG is obtained from a double decimation:

1. The output sequence of $SR_2$, $\{b_i\}$, is decimated by means of $\lambda_t$ giving rise to the sequence $\{b'_i\}$.

2. The same decimation rule P, defined in subsection 2.2, is applied to the sequence $\{b'_i\}$.

Remark that if $\lambda_t = 1$ (no cells are selected in $SR_1$), then the proposed generator is just the shrinking generator. Let us see a simple example of CCSG.

Example 2.3 For the same LFSRs defined in the previous example and the function $\lambda_t = 1 + 2^0 A_0(t)$ with $w = 1$, the decimated sequence $\{b'_i\}$ is given by:

• $\{b_i\}$ → 1000100110101111000100110101111

• $\lambda_t$ → 2 1 1 2 2 2 1 2 1 1 2 2 2 1 2 1 1 2 2

• $\{b'_i\}$ → 10010110111010101011

According to the decimation function $\lambda_t$, the bits of $\{b_i\}$ skipped by the clocking (underlined in the original) are discarded in order to produce the sequence $\{b'_i\}$. Then the output sequence $\{z_j\}$ of the CCSG is given by:

• $\{a_i\}$ → 1001110100111010011101

• $\{b'_i\}$ → 10010110111010101011

• $\{z_j\}$ → 110101011011

The bits of $\{b'_i\}$ at the positions where $a_i = 0$ (underlined in the original) are discarded.

In brief, the sequence produced by a CCSG is an irregular double decimation of the sequence generated by $SR_2$ from the function $\lambda_t$ and the bits of $SR_1$. This construction allows one to generate a large family of different sequences by using the same LFSR initial states and characteristic polynomials but modifying the decimation function. Period, linear complexity and statistical properties of the sequences generated by CCSGs have been established in [15].
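An added implementation (not the authors' code) of Examples 2.2 and 2.3: maximal-length LFSRs read from the characteristic polynomials as the paper writes them, the shrinking rule P and the double decimation of a CCSG with the function of equation (6). The paper only fixes $A_0(t) = a_t$; indexing the other control cells as $A_j(t) = a_{t+j}$ is an assumption of this example, as are the function names.

```python
# Added example; not code from the paper. Maximal-length LFSRs, the
# shrinking generator of Example 2.2 and the CCSG of Example 2.3 with the
# decimation function of equation (6).

def lfsr_sequence(poly_exponents, initial_state, length):
    """First `length` bits of the LFSR whose characteristic polynomial is
    C(x) = sum of x^e over `poly_exponents` (degree L) with initial state
    (s_0, ..., s_{L-1}). The polynomial is read as the paper writes it, so
    x^L + ... gives the recurrence s_{n+L} = sum_{e < L} s_{n+e}; with
    C_2(x) = 1 + x + x^4 and IS_2 = (1, 0, 0, 0) this reproduces the
    PN-sequence 1 0 0 0 1 0 0 1 1 0 1 0 1 1 1 of Example 2.2."""
    degree = max(poly_exponents)
    taps = [e for e in poly_exponents if e < degree]
    seq = list(initial_state)
    while len(seq) < length:
        n = len(seq) - degree
        seq.append(sum(seq[n + e] for e in taps) & 1)
    return seq[:length]


def decimation_function(control_bits, t, selected_cells):
    """lambda_t = 1 + sum_k 2^k * A_{i_k}(t), equation (6). Assumption (the
    paper only states A_0(t) = a_t): the cell contents of SR_1 at time t are
    A_j(t) = a_{t+j}, the usual Fibonacci register state. `selected_cells`
    lists i_0, ..., i_{w-1}; an empty list means lambda_t = 1."""
    return 1 + sum(control_bits[t + i] << k for k, i in enumerate(selected_cells))


def clock_controlled_shrinking(control_bits, data_bits, selected_cells):
    """Double decimation of Section 2.3. SR_2 is clocked lambda_t times
    between consecutive outputs, producing {b'_t}; rule P then keeps b'_t
    exactly when a_t = 1. Returns (decimated sequence, output sequence)."""
    decimated, output = [], []
    pos, t = 0, 0
    lookahead = max(selected_cells, default=0)
    while pos < len(data_bits) and t + lookahead < len(control_bits):
        decimated.append(data_bits[pos])
        if control_bits[t] == 1:
            output.append(data_bits[pos])
        pos += decimation_function(control_bits, t, selected_cells)
        t += 1
    return decimated, output


def shrinking_generator(control_bits, data_bits):
    """The shrinking generator is the CCSG with no cells selected."""
    return clock_controlled_shrinking(control_bits, data_bits, [])[1]


def shrunken_period(L1, L2):
    """Equation (3): T = (2^L2 - 1) 2^(L1 - 1)."""
    return (2 ** L2 - 1) * 2 ** (L1 - 1)


def shrunken_ones(L1, L2):
    """Equation (5): number of 1's in one period of the shrunken sequence."""
    return 2 ** (L2 - 1) * 2 ** (L1 - 1)


# Registers of Example 2.2: C_1(x) = 1 + x^2 + x^3, C_2(x) = 1 + x + x^4.
SR1 = ({0, 2, 3}, (1, 0, 0))
SR2 = ({0, 1, 4}, (1, 0, 0, 0))

if __name__ == "__main__":
    a = lfsr_sequence(*SR1, 22)
    b = lfsr_sequence(*SR2, 31)
    print("shrinking generator:", "".join(map(str, shrinking_generator(a, b[:22]))))
    bp, z = clock_controlled_shrinking(a, b, [0])   # Example 2.3, w = 1
    print("CCSG b':", "".join(map(str, bp)), " z:", "".join(map(str, z)))
```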

2.4 Cattel and Muzio Synthesis Algorithm 

The Cattell and Muzio synthesis algorithm [5] presents a method of obtaining two CA (based on rules 90 and 150) corresponding to a given polynomial. Such an algorithm takes as input an irreducible polynomial $Q(x) \in GF(2)[x]$ defined over a finite field and computes two linear reversal CA whose output sequences have $Q(x)$ as characteristic polynomial. Such CA are written as binary strings with the previous codification: 0 = rule 90 and 1 = rule 150. The theoretical foundations of the algorithm can be found in [7]. The total number of operations required for this algorithm is listed there (Table II, page 334). It is shown that the number of operations grows linearly with the degree of the polynomial, so the method does not suffer from any sort of exponential blow-up. The method is efficient for all practical applications (e.g. in 1996 finding a pair of length 300 CA took 16 CPU seconds on a SPARC 10 workstation). For cryptographic applications, the degree of the irreducible (primitive) polynomial is $L_2 \approx 64$, so that the time consumed is negligible.

Finally, a list of One-Dimensional Linear Hybrid Cellular Automata of Degree Through 500 is available in the literature.



3 CA-Based Linear Models for the Shrinking Generator

In this section, an algorithm to determine the pair of CA corresponding to 
a given shrinking generator is presented. Such an algorithm is based on the 
following results: 

Lemma 3.1 The characteristic polynomial of the shrunken sequence is of the form $P(x)^N$, where $P(x) \in GF(2)[x]$ is an $L_2$-degree primitive polynomial and N is an integer satisfying the inequality $2^{(L_1 - 2)} < N \le 2^{(L_1 - 1)}$.

Proof: The shrunken sequence can be written as an interleaved sequence [12] made out of a unique PN-sequence starting at different points and repeated $2^{(L_1 - 1)}$ times. Such a sequence is obtained from $\{b_i\}$ taking digits separated a distance $2^{L_1} - 1$, that is, the period of the sequence $\{a_i\}$. As $(2^{L_1} - 1, 2^{L_2} - 1) = 1$ because $(L_1, L_2) = 1$, the result of the decimation of $\{b_i\}$ is a PN-sequence of primitive characteristic polynomial $P(x)$ of degree $L_2$. Moreover, the number of times that this PN-sequence is repeated coincides with the number of 1's in $\{a_i\}$, since each 1 of $\{a_i\}$ provides the shrunken sequence with $2^{L_2} - 1$ digits of $\{b_i\}$. Consequently, the characteristic polynomial of the shrunken sequence will be $P(x)^N$ with $N \le 2^{(L_1 - 1)}$. The lower limit follows immediately from equation (4). □

Lemma 3.2 Let $C_2(x) \in GF(2)[x]$ be the characteristic polynomial of $SR_2$ and let $\lambda$ be a root of $C_2(x)$ in the extension field $GF(2^{L_2})$. Then $P(x) \in GF(2)[x]$ is of the form

$P(x) = (x + \lambda^E)(x + \lambda^{2E}) \cdots (x + \lambda^{2^{L_2 - 1} E})$  (7)

with E an integer given by

$E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}.$  (8)

Proof: As the decimation of the sequence $\{b_i\}$ is realized taking one out of $2^{L_1} - 1$ digits, the obtained PN-sequence is nothing but the characteristic sequence associated to the cyclotomic coset $E = 2^{L_1} - 1$, see [11]. Hence, the roots of its characteristic polynomial will be $\lambda^E, \lambda^{2E}, \ldots, \lambda^{2^{L_2 - 1} E}$. According to the definition of cyclotomic coset, the value of E is given by equation (8). □

Remark that $P(x)$ depends exclusively on the characteristic polynomial of the register $SR_2$ and on the length $L_1$ of the register $SR_1$. Based on the Cattell and Muzio synthesis algorithm [5], the following result is derived:

Lemma 3.3 Let $Q(x) \in GF(2)[x]$ be a polynomial defined over a finite field and let $S_1$ and $S_2$ be two binary strings codifying the two linear CA obtained from the Cattell and Muzio algorithm. Then, the two CA in the form of binary strings whose characteristic polynomial is $Q(x)^2$ are:

$S'_i = \bar{S}_i * \bar{S}_i^*, \quad i = 1, 2$

where $\bar{S}_i$ is the binary string $S_i$ whose least significant bit has been complemented, $\bar{S}_i^*$ is the mirror image of $\bar{S}_i$ and the symbol $*$ denotes concatenation.

Proof: The result is just a generalization of the Cattell and Muzio synthesis algorithm. The concatenation is due to the fact that rule 90 (150) at the end of the array in null automata is equivalent to two consecutive rules 150 (90) with identical sequences. The fact that an automaton and its reversal version have the same characteristic polynomial completes the proof. □

Proceeding in the same way a number of times, a multiplicative-polynomial cellular automaton (Definition 2.1) is obtained. In this way, the construction of a linear structure from the concatenation of a basic automaton is accomplished.

According to the previous results, an algorithm to linearize the shrinking 
generator is introduced: 

Input: A shrinking generator characterized by two LFSRs, $SR_1$ and $SR_2$, with their corresponding lengths, $L_1$ and $L_2$, and the characteristic polynomial $C_2(x)$ of the register $SR_2$.

Step 1 From $L_1$ and $C_2(x)$, compute the polynomial $P(x)$ in $GF(2^{L_2})$ as

$P(x) = (x + \lambda^E)(x + \lambda^{2E}) \cdots (x + \lambda^{2^{L_2 - 1} E})$

with $E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$.

Step 2 From $P(x)$, apply the Cattell and Muzio synthesis algorithm to determine two linear CA (with rules 90 and 150), denoted $S_i$, whose characteristic polynomial is $P(x)$.

Step 3 For each $S_i$ separately, proceed:

3.1 Complement its least significant bit. The resulting binary string is denoted $\bar{S}_i$.

3.2 Compute the mirror image of $\bar{S}_i$, denoted $\bar{S}_i^*$, and concatenate both strings

$S'_i = \bar{S}_i * \bar{S}_i^*.$

3.3 Apply steps 3.1 and 3.2 to each $S'_i$ recursively $L_1 - 1$ times.

Output: Two binary strings of length $L = L_2 \cdot 2^{(L_1 - 1)}$ codifying two CA corresponding to the given shrinking generator.

Remark 3.4 In this algorithm the characteristic polynomial of the register $SR_1$ is not needed. Thus, all the shrinking generators with the same $SR_2$ but different registers $SR_1$ (all of them with the same length $L_1$) can be modelled by the same pair of one-dimensional linear CA.

Remark 3.5 It can be noticed that the computation of both CA is proportional to $L_1$ concatenations. Consequently, the algorithm can be applied to shrinking generators in a range of practical application.

Remark 3.6 In contrast to the nonlinearity of the shrinking generator, the CA-based models that generate the shrunken sequence are linear.

In order to clarify the previous steps a simple numerical example is presented. 

Input: A shrinking generator characterized by two LFSRs, $SR_1$ of length $L_1 = 3$ and $SR_2$ of length $L_2 = 5$ and characteristic polynomial $C_2(x) = 1 + x + x^2 + x^4 + x^5$.

Step 1 $P(x)$ is the characteristic polynomial of the cyclotomic coset $E = 7$. Thus,

$P(x) = 1 + x^2 + x^5.$

Step 2 From $P(x)$ and applying the Cattell and Muzio synthesis algorithm, two reversal linear CA whose characteristic polynomial is $P(x)$ can be determined. Such CA are written in binary format as:

01111
11110

Step 3 Computation of the required pair of CA.
For the first automaton:

01111

0111001110

01110011111111001110

For the second automaton:

11110

1111111111

11111111100111111111

For each automaton, the procedure of concatenation has been carried out $L_1 - 1$ times.

Output: Two binary strings of length $L = L_2 \cdot 2^{(L_1 - 1)} = 20$ codifying the required pair of CA.

In this way, we have obtained a pair of linear CA able to generate the 
shrunken sequence corresponding to the given shrinking generator. In addition, 
for each one of the previous automata there is one state cycle where the shrunken 
sequence is generated at each one of the cells. 
4 CA-Based Linear Models for the Clock-Controlled Shrinking Generators

In this section, an algorithm to determine the pair of one-dimensional linear CA 
corresponding to a given CCSG is presented. Such an algorithm is based on the 
following results: 

Lemma 4.1 The characteristic polynomial of the output sequence of a CCSG is of the form $P'(x)^N$, where $P'(x) \in GF(2)[x]$ is a primitive $L_2$-degree polynomial and N is an integer satisfying the inequality $2^{(L_1 - 2)} < N \le 2^{(L_1 - 1)}$.

Proof: The proof is analogous to that developed in Lemma 3.1. □

Remark that, according to the structure of the CCSGs, the polynomial $P'(x)$ depends on the characteristic polynomial of the register $SR_2$, the length $L_1$ of the register $SR_1$ and the decimation function $\lambda_t$. Before, $P(x)$ was the characteristic polynomial of the cyclotomic coset E, where $E = 2^0 + 2^1 + \ldots + 2^{L_1 - 1}$ was a fixed separation distance between the digits drawn from the sequence $\{b_i\}$. Now, this distance D is variable as well as a function of $\lambda_t$. The computation of D gives rise to the following result:

Lemma 4.2 Let $C_2(x) \in GF(2)[x]$ be the characteristic polynomial of $SR_2$ and let $\lambda$ be a root of $C_2(x)$ in the extension field $GF(2^{L_2})$. Then $P'(x) \in GF(2)[x]$ is the characteristic polynomial of the cyclotomic coset D, where D is given by

$D = 2^{L_1 - w} \left( \sum_{i=1}^{2^w} i \right) - 1 = (1 + 2^w)\, 2^{L_1 - 1} - 1.$  (9)

Proof: The proof is analogous to that developed in Lemma 3.2. In fact, the distance D can be computed taking into account that the function $\lambda_t$ takes values in the set $\{1, 2, \ldots, 2^w\}$ and the number of times that each one of these values appears in a period of the output sequence is given by $2^{L_1 - w}$. A simple computation, based on the sum of the terms of an arithmetic progression, completes the proof. □

From the previous results, it can be noticed that the algorithm that determines the pair of CA corresponding to a given CCSG is analogous to that developed in Section 3. Indeed, the expression of E in equation (8) must be replaced by the expression of D in equation (9).

In order to clarify the previous steps a simple numerical example is presented. 

Input: A CCSG characterized by two LFSRs, $SR_1$ of length $L_1 = 3$ and $SR_2$ of length $L_2 = 5$ and characteristic polynomial $C_2(x) = 1 + x + x^2 + x^4 + x^5$, plus the decimation function $\lambda_t = 1 + 2^0 A_0(t) + 2^1 A_1(t) + 2^2 A_2(t)$ with $w = 3$.

Step 1 $P'(x)$ is the characteristic polynomial of the cyclotomic coset D. Now $D \equiv 4 \pmod{31}$, that is, we are dealing with the cyclotomic coset 1. Thus, the corresponding characteristic polynomial is:

$P'(x) = 1 + x + x^2 + x^4 + x^5.$

Step 2 From $P'(x)$ and applying the Cattell and Muzio synthesis algorithm, two reversal linear CA whose characteristic polynomial is $P'(x)$ can be determined. Such CA are written in binary format as:

10000
00001

Step 3 Computation of the required pair of CA.
For the first automaton:

10000

1000110001

10001100000000110001

For the second automaton:

00001

0000000000

00000000011000000000

For each automaton, the procedure of concatenation has been carried out $L_1 - 1$ times.

Output: Two binary strings of length $L = 20$ codifying the required CA.

Remark 4.3 From the point of view of the CA-based linear models, the shrinking generator and any one of the CCSGs are entirely analogous. Thus, introducing an additional decimation function neither increases the complexity of the generator nor improves its resistance against cryptanalytic attacks. Indeed, both kinds of generators can be linearized by the same class of CA-based models.
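An added implementation (not the paper's code) of Steps 1 and 3 of the Section 3 algorithm together with the Section 4 variant (E replaced by D), run on both worked examples above. Step 2, the Cattell and Muzio synthesis, is not implemented: the 5-cell CA pairs are the ones the paper lists, recurrence (2) is used to check every characteristic polynomial, and all function names are mine.

```python
# Added example; not code from the paper. Polynomials over GF(2) are ints
# whose bit e is the coefficient of x^e.

def from_exponents(exponents):
    return sum(1 << e for e in exponents)

def to_exponents(poly):
    return {e for e in range(poly.bit_length()) if (poly >> e) & 1}

def gf2_mod(a, modulus):
    """Remainder of a modulo `modulus` in GF(2)[x]."""
    dm = modulus.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= modulus << (a.bit_length() - 1 - dm)
    return a

def gf2_mul(a, b, modulus):
    """Product in the field GF(2)[x]/(modulus)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a = gf2_mod(a << 1, modulus)
    return result

def gf2_pow(a, e, modulus):
    result = 1
    while e:
        if e & 1:
            result = gf2_mul(result, a, modulus)
        a = gf2_mul(a, a, modulus)
        e >>= 1
    return result

def coset_polynomial(c2_exponents, distance):
    """Step 1 / Lemma 3.2: characteristic polynomial of the cyclotomic coset
    `distance`, i.e. the minimal polynomial of lambda^distance, lambda a root
    of C_2(x) in GF(2^L2): the product of (x + beta^(2^k)) over the distinct
    conjugates of beta = lambda^distance."""
    modulus = from_exponents(c2_exponents)
    beta = gf2_pow(2, distance, modulus)           # 2 encodes lambda = x
    conjugates, c = [], beta
    while c not in conjugates:
        conjugates.append(c)
        c = gf2_mul(c, c, modulus)
    poly = [1]                                     # coefficients in GF(2^L2)
    for c in conjugates:
        product = [0] * (len(poly) + 1)
        for i, coef in enumerate(poly):
            product[i + 1] ^= coef                 # x * poly
            product[i] ^= gf2_mul(coef, c, modulus)   # c * poly
        poly = product
    assert all(coef in (0, 1) for coef in poly)   # product lies in GF(2)[x]
    return {e for e, coef in enumerate(poly) if coef}

def separation_distance(L1, w):
    """E = 2^L1 - 1 (equation (8), w = 0: shrinking generator) and
    D = (1 + 2^w) 2^(L1-1) - 1 (equation (9), CCSG selecting w cells)."""
    return (1 + 2 ** w) * 2 ** (L1 - 1) - 1

def concatenate(ca, times):
    """Step 3: complement the least significant (rightmost) bit, append the
    mirror image of the result, and repeat `times` times."""
    for _ in range(times):
        flipped = ca[:-1] + ("1" if ca[-1] == "0" else "0")
        ca = flipped + flipped[::-1]
    return ca

def ca_characteristic_polynomial(ca):
    """Recurrence (2): P_i = (x + R_i) P_{i-1} + P_{i-2}, P_{-1} = 0, P_0 = 1."""
    prev, cur = 0, 1
    for r in ca:
        prev, cur = cur, (cur << 1) ^ (cur if r == "1" else 0) ^ prev
    return to_exponents(cur)

def linearize(L1, c2_exponents, w, cattell_muzio_pair):
    """Steps 1 and 3: returns P(x) and the two CA of length L2 * 2^(L1-1).
    `cattell_muzio_pair` are the two CA for P(x) that Step 2 would supply."""
    P = coset_polynomial(c2_exponents, separation_distance(L1, w))
    for ca in cattell_muzio_pair:
        assert ca_characteristic_polynomial(ca) == P, "Step 2 input mismatch"
    return P, [concatenate(ca, L1 - 1) for ca in cattell_muzio_pair]

def models_power_of(ca, P, L1):
    """Lemma 3.3 iterated: the output CA has polynomial P(x)^(2^(L1-1)), and
    over GF(2) a power of two just multiplies every exponent (Frobenius)."""
    return ca_characteristic_polynomial(ca) == {e * 2 ** (L1 - 1) for e in P}
```

With `linearize(3, {0, 1, 2, 4, 5}, 0, ("01111", "11110"))` the result is the Section 3 pair of 20-cell CA, and `linearize(3, {0, 1, 2, 4, 5}, 3, ("10000", "00001"))` reproduces the Section 4 example (D = 35, the coset of 4).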

5 A Cryptanalytic Approach to this Class of Sequence Generators

Since CA-based linear models describing the behavior of CCSGs have been derived, a cryptanalytic attack that exploits the weaknesses of these models has also been developed. It consists in determining the initial states of both registers $SR_1$ and $SR_2$ from an amount of CCSG output sequence (the intercepted sequence). In this way, the rest of the output sequence can be reconstructed. For the sake of simplicity, the attack will be illustrated for the shrinking generator, although the process can be extended to any CCSG. The proposed attack is divided into two different phases:

Phase 1 From bits of the intercepted sequence and using the CA-based linear models, additional bits of the shrunken sequence can be reconstructed.

Phase 2 Due to the intrinsic characteristics of this class of generators, a cryptanalytic attack can be mounted in order to determine the initial states of the LFSRs. The attack makes use of both intercepted bits as well as reconstructed bits.

Both phases will be considered separately. 

5.1 Reconstruction of output sequence bits 

Given r bits of the shrunken sequence $z_0, z_1, z_2, \ldots, z_{r-1}$, we can assume without loss of generality that this sub-sequence has been generated at the leftmost cell of any of its corresponding CA. That is, $x_1^0 = z_0, x_1^1 = z_1, \ldots, x_1^{r-1} = z_{r-1}$. From r bits of the shrunken sequence, it is always possible to reconstruct $r - 1$ sub-sequences $\{x_i^t\}$ of length $r - i + 1$ at the i-th cell of each automaton as follows:

$x_i^t = \Phi_{i-1}(x_{i-2}^t, x_{i-1}^t, x_{i-1}^{t+1}) \quad (1 < i \le r),$  (10)

where $\Phi_{i-1}$ corresponds to either rule 90 or 150 depending on the value of $R_{i-1}$.

From r intercepted bits, the application of equation (10) gives rise to a total of $(r + (r - 1) + \ldots + 2 + 1)$ bits that constitute the first chained sub-triangle, denoted A1, see Table 2. Now, if any sub-sequence $\{x_i^t\}$ is placed at the leftmost cell, then $r - 2i + 2$ bits are obtained at the i-th cell in the second chained sub-triangle, denoted A2. Repeating recursively n times the same procedure, $r - ni + n$ bits are obtained at the i-th cell in the n-th chained sub-triangle, denoted An. Table 2 shows the succession of 4 chained sub-triangles constructed from $r = 10$ bits of the shrunken sequence $\{z_j\} = \{0, 0, 1, 1, 1, 0, 1, 0, 1, 1\}$ and first rules $R_1 = R_2 = 0$. In fact, the 10 initial bits generate 8 bits at the third cell in A1. These 8 bits are placed at the leftmost cell producing 6 new bits at cell 3 in A2. With these 6 bits, we get 4 additional bits in A3. Finally, 2 new bits are obtained at cell 3 in the sub-triangle A4. Since rules 90 and 150 are additive, the generated sub-sequences will be sums of elements of the shrunken sequence. General expressions can be deduced for the elements of any sub-sequence in any chained sub-triangle. In fact, the i-th sub-sequence in the n-th chained sub-triangle includes the bits $z_j$ corresponding to the exponents of $(P_{i-1}(x))^n$, where $P_{i-1}(x)$ is the characteristic polynomial of the sub-automaton $R_1 R_2 \cdots R_{i-1}$, see equation (2). More precisely, for the previous example the characteristic polynomial of the sub-automaton $R_1 R_2$ is $P_2(x) = x^2 + 1$. Then $(P_2(x))^2 = x^4 + 1$, $(P_2(x))^3 = x^6 + x^4 + x^2 + 1$, $(P_2(x))^4 = x^8 + 1, \ldots$ Hence, $x_3^0$ in the different sub-triangles will take the form:

$x_3^0 = z_0 + z_2$ in A1

$x_3^0 = z_0 + z_4$ in A2

$x_3^0 = z_0 + z_2 + z_4 + z_6$ in A3

$x_3^0 = z_0 + z_8$ in A4 . . .

For the successive bits $x_3^1, x_3^2, \ldots$ it suffices to add 1 to the previous subindexes. Table 3 shows the general expressions of the sub-sequence elements in A1 and A2 for the example under consideration.
Table 2: Reconstruction of 4 chained sub-triangles from 10 bits of the shrunken sequence (four panels A1, A2, A3, A4, each headed by the rules $R_1$ $R_2$ $R_3$ ...; the bit values of the panels were not recovered from this copy)
Table 3: General expressions for different sub-sequences in A1 and A2 with $R_1 = R_2 = 0$

          A1                            A2
    R1    R2    R3              R1      R2      R3
    z0    z1    z0+z2           z0+z2   z1+z3   z0+z4
    z1    z2    z1+z3           z1+z3   z2+z4   z1+z5
    z2    z3    z2+z4           z2+z4   z3+z5   z2+z6
    z3    z4    z3+z5           z3+z5   z4+z6   z3+z7
    z4    z5    z4+z6           z4+z6   z5+z7   z4+z8
    z5    z6    z5+z7           z5+z7   z6+z8   z5+z9
    z6    z7    z6+z8           z6+z8   z7+z9
    z7    z8    z7+z9           z7+z9
    z8    z9
    z9
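An added implementation (not the paper's code) of the chained sub-triangles of this subsection, run on the $r = 10$ example with $R_1 = R_2 = 0$. Every recovered bit carries the set of shrunken-sequence indices it is the mod-2 sum of, so the general expressions of Table 3 and the link with $(P_{i-1}(x))^n$ can be read off directly; the function names are mine.

```python
# Added example; not code from the paper. Chained sub-triangles of Section
# 5.1: each bit is a (value, set of z indices) pair.

def xor_bits(*bits):
    """Mod-2 sum of (value, index set) pairs; z_j + z_j = 0 cancels indices."""
    value, indices = 0, set()
    for v, idx in bits:
        value ^= v
        indices ^= idx
    return value, indices


def chained_sub_triangle(first_cell, rules):
    """Equation (10) for cells 2 .. len(rules)+1: cell i (r - i + 1 bits) is
    obtained by solving the rule of cell i-1 for its right neighbour,
        rule 90 : x_i^t = x_{i-1}^{t+1} + x_{i-2}^t
        rule 150: x_i^t = x_{i-1}^{t+1} + x_{i-2}^t + x_{i-1}^t
    with the null boundary x_0^t = 0. `rules` is R_1 R_2 ... as a string."""
    r = len(first_cell)
    boundary = [(0, set()) for _ in range(r)]
    cells = [boundary, list(first_cell)]
    for i in range(2, min(r, len(rules) + 1) + 1):
        prev, prev2 = cells[i - 1], cells[i - 2]
        cell = []
        for t in range(len(prev) - 1):
            terms = [prev[t + 1], prev2[t]]
            if rules[i - 2] == "1":          # R_{i-1} = 1: rule 150
                terms.append(prev[t])
            cell.append(xor_bits(*terms))
        cells.append(cell)
    return cells[1:]


def chained_sub_triangles(z, rules, n):
    """A1, ..., An: the last recovered cell of A_k is placed at the leftmost
    cell to build A_{k+1} (Table 2: z = 0011101011, R1 = R2 = 0, n = 4)."""
    first = [(v, {j}) for j, v in enumerate(z)]
    triangles = []
    for _ in range(n):
        tri = chained_sub_triangle(first, rules)
        triangles.append(tri)
        first = tri[-1]
    return triangles


def values(cell):
    return [v for v, _ in cell]


def expression(bit):
    """Printable form of a bit as a sum of z_j, e.g. 'z0 + z2 + z4 + z6'."""
    return " + ".join(f"z{j}" for j in sorted(bit[1])) or "0"


# The paper's example: r = 10 intercepted bits, first rules R1 = R2 = 0.
Z = [0, 0, 1, 1, 1, 0, 1, 0, 1, 1]

if __name__ == "__main__":
    for k, tri in enumerate(chained_sub_triangles(Z, "00", 4), start=1):
        cell3 = tri[2]
        print(f"A{k}: cell 3 = {values(cell3)}  x_3^0 = {expression(cell3[0])}")
```

The index sets printed for $x_3^0$ in A1 to A4 are exactly the exponents of $(x^2 + 1)^n$, which is the property the text uses to locate reconstructed bits in the shrunken sequence.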



On the other hand, Lemmas 3.1 and 3.2 show that the shrunken sequence is the interleaving of $2^{(L_1 - 1)}$ different shifts of a unique PN-sequence of length $2^{L_2} - 1$ whose characteristic polynomial $P(x)$ is given by equation (7). Consequently, the elements of the shrunken sequence indexed $z_{di}$, with $i \in \{0, 1, \ldots, 2^{L_2} - 2\}$ and $d = 2^{(L_1 - 1)}$, belong to the same PN-sequence. Thus, if the element $x_i^t$ of the i-th sub-sequence in the n-th chained sub-triangle takes the general form:

$x_i^t = z_{k_1} + z_{k_2} + \ldots + z_{k_j}$  (11)

with

$k_i \equiv k_1 \pmod{2^{(L_1 - 1)}} \quad (i = 1, \ldots, j),$  (12)

then $x_i^t$ can be rewritten as

$x_i^t = z_{k_1 + \delta}$  (13)

with $z_{k_1}$ satisfying equation (12). Therefore, $\{x_i^t\}$, the i-th sub-sequence in the n-th chained sub-triangle, is just a sub-sequence of the shrunken sequence shifted a distance $\delta$ from the r bits of the intercepted sequence. The value of $\delta$ depends on the extension field $GF(2^{L_2})$ generated by the roots of $P(x)$. In brief, the chained sub-triangles enable us to reconstruct additional bits of the shrunken sequence from bits of the intercepted sequence.

The number of reconstructed bits depends on the amount of intercepted bits. Indeed, if we know $N_i$ bits in each one of the PN-sequence shifts, then the total number of reconstructed bits is given by:

$\sum_{i=1}^{2^{(L_1 - 1)}} \sum_{k=2}^{N_i}$  (14)

The required amount of intercepted sequence is $2^{L_1}$, that is, exponential in the length of the shorter register $SR_1$. Remark that in this reconstruction process both the reconstructed bits as well as their positions in the shrunken sequence are known with absolute certainty.

5.2 Reconstruction of LFSR Initial States

We denote by IS_1 = (a_0, a_1, a_2, ..., a_{L_1-1}) the initial state of SR_1 and by IS_2 = (b_0, b_1, b_2, ..., b_{L_2-1}) the initial state of SR_2. In order to avoid ambiguities in the initial states, it is assumed that a_0 = 1, so that the first element of the shrunken sequence is z_0 = b_0. In this way, the goal of this attack is to determine the sub-vectors (a_1, a_2, ..., a_{L_1-1}) and (b_1, b_2, ..., b_{L_2-1}).

According to equation (3), the period of the shrunken sequence is T = (2^{L_2} - 1) · 2^{L_1-1}, so that such a sequence can be written as a (2^{L_2} - 1) × 2^{L_1-1} matrix whose elements are the bits of the shrunken sequence. Its columns are denoted by C_1, C_2, ..., C_{2^{L_1-1}}, respectively. Each column of the matrix is the PN-sequence referenced above, starting at a different point. In addition, the first column C_1 corresponds to the decimation of the sequence {b_i} from SR_2 by a factor (2^{L_1} - 1) [11]. Thus, we can compute the position of the bits b_1, b_2, ..., b_{L_2-1} in such a column. Indeed, the i-th bit, b_i, is at the j_i-th position of C_1, where j_i is the solution of the equation:

j_i (2^{L_1} - 1) ≡ i (mod 2^{L_2} - 1), (i = 1, ..., L_2 - 1). (15)

Moreover, the bits of IS_1 determine the initial bits of the subsequent columns C_i as follows:

Hypothesis 1 If the first bits of IS_1 are (a_0 = 1, a_1 = 1), then C_2 will start at the j_1-th position of C_1 given by equation (15).

Hypothesis 2 If the first bits of IS_1 are (a_0 = 1, a_1 = 0, a_2 = 1), then C_2 will start at the j_2-th position of C_1 given by equation (15).

...

Hypothesis n If the first bits of IS_1 are (a_0 = 1, a_1 = 0, ..., a_{n-1} = 0, a_n = 1), then C_2 will start at the j_n-th position of C_1 given by equation (15).

We can formulate different hypotheses covering the first bits of IS_1, and each new hypothesis determines the initial bit of the following column. As we have intercepted and reconstructed bits in the columns C_i, we can check the previous hypotheses until a contradiction is found. In that case, all the IS_1 starting with the wrong configuration must be rejected. The search continues through the configurations of a_i free of contradiction by formulating new hypotheses. In brief, the attacker does not have to traverse an entire search tree including all the initial states of SR_1; the search is concentrated exclusively on the configurations not exhibiting contradiction with regard to the available bits. In this sense, the proposed attack considerably reduces the exhaustive search over the initial states of SR_1, as many contradictions occur at the first levels of the tree. On the other hand, the bits of the register SR_2 are easily determined as the starting bits of C_2, C_3, C_4, ... in each one of the non-rejected branches. An illustrative example of Phases 1 and 2 is presented in the next subsection.

5.3 An Illustrative Example

Let us consider a shrinking generator with the following parameters: L_1 = 4, L_2 = 5, C_1(x) = 1 + x^3 + x^4 and C_2(x) = 1 + x + x^3 + x^4 + x^5. According to equation (7), we can compute the polynomial P(x) = 1 + x + x^2 + x^4 + x^5, while the two basic automata (given in the original as rule strings that did not survive extraction) are obtained from the algorithm of Cattell and Muzio. The corresponding CA of length L = 40 are computed via the algorithm developed in section 3. Indeed, they are CA_1 = 0060110600 and CA_2 = 8C0300C031 in hexadecimal notation. In addition, let α be a root of P(x), that is α^5 = α^4 + α^2 + α + 1, as well as a generator element of the extension field GF(2^{L_2}). The period of the shrunken sequence is T = (2^{L_2} - 1) · 2^{L_1-1} = 248 and the number of interleaved PN-sequences is 2^{L_1-1} = 8. Finally, the intercepted sequence of length r = 24 is: {z_0, z_1, ..., z_23} = {1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,0,1,1}. With the previous premises, we accomplish Phases 1 and 2.

Phase 1:

For CA_1 The chained sub-triangles provide the following reconstructed bits. For i = 3, sub-automaton R_1R_2 and P_2(x) = x^2 + 1.

• In A4, x_3^t = z_0 + z_8, x_3^{t+1} = z_1 + z_9, ..., x_3^{t+15} = z_15 + z_23. Considering z_0, z_8 as the first and second elements of the PN-sequence and keeping in mind that in GF(2^{L_2}) the equality 1 + α = α^19 holds, we get x_3^t = z_{19·8} = z_152, x_3^{t+1} = z_153, ..., x_3^{t+15} = z_167. Thus, 16 new bits of the shrunken sequence have been reconstructed at positions 152, 153, ..., 167.

• In A8, x_3^t = z_0 + z_16, x_3^{t+1} = z_1 + z_17, ..., x_3^{t+7} = z_7 + z_23. As 1 + α^2 = α^7, we get x_3^t = z_{7·8} = z_56, x_3^{t+1} = z_57, ..., x_3^{t+7} = z_63. Thus, 8 new bits of the shrunken sequence have been reconstructed at positions 56, 57, ..., 63.

For CA_2 The chained sub-triangles provide the following reconstructed bits. For i = 3, sub-automaton R_1R_2 and P_2(x) = x^2 + x + 1.

• In A8, x_3^t = z_0 + z_8 + z_16, x_3^{t+1} = z_1 + z_9 + z_17, ..., x_3^{t+7} = z_7 + z_15 + z_23. As 1 + α + α^2 = α^23, we get x_3^t = z_{23·8} = z_184, x_3^{t+1} = z_185, ..., x_3^{t+7} = z_191. Thus, 8 new bits of the shrunken sequence have been reconstructed at positions 184, 185, ..., 191.

After Phase 1, the known bits of the shrunken sequence are depicted in Table 4. Rows 0, 1, 2 correspond to intercepted bits while rows 7, 19, 20 and 23 correspond to reconstructed bits. The symbol — represents the unknown bits. In brief, from 24 intercepted bits a total of 32 bits have been reconstructed.
Phase 2: According to equation (15), the bits b_1, b_2, b_3, b_4 are placed at positions 29, 27, 25, 23 of column C_1, respectively (see the first column of Table 4). On the other hand, Table 5 shows the sequences corresponding to the following hypotheses.

Hypothesis 1 If the first bits of IS_1 are (a_0 = 1, a_1 = 1), then C_2 will start at the 29th position of C_1, giving rise to the column H_1. In row 2, H_1 and C_2 have a common bit without contradiction. The union of both sequences allows us to construct C_2', the second column of the matrix for this hypothesis. A total of 13 bits are then known in C_2'.

Hypothesis 2 If the first bits of IS_1 are (a_0 = 1, a_1 = 0, a_2 = 1), then C_2 will start at the 27th position of C_1, giving rise to the column H_2. In row 23, H_2 and C_2 have a common bit with contradiction (starred bits). Thus, the initial states of SR_1 starting with bits 101 must be rejected.

Hypothesis 3 If the first bits of IS_1 are (a_0 = 1, a_1 = 0, a_2 = 0, a_3 = 1), then C_2 will start at the 25th position of C_1, giving rise to the column H_3. In row 7, H_3 and C_2 have a common bit without contradiction. The union of both sequences allows us to construct C_2', the second column of the matrix for this hypothesis. A total of 13 bits are then known in C_2'.

Hypothesis 4 If the first bits of IS_1 are (a_0 = 1, a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 1), then C_2 will start at the 23rd position of C_1, giving rise to the column H_4. In row 0, H_4 and C_2 have a common bit with contradiction (starred bits). Thus, the initial state of SR_1 1000 must be rejected.

On the hypotheses free of contradiction, we can formulate other ones depicted in Table 6.

Hypothesis 5 If the first bits of IS_1 are (a_0 = 1, a_1 = 1, a_2 = 1), then C_3 will start at the 27th position of C_1, giving rise to the column H_5. In row 23, H_5 and C_3 have a common bit with contradiction (starred bits). Thus, the initial states of SR_1 starting with bits 111 must be rejected.

Hypothesis 6 If the first bits of IS_1 are (a_0 = 1, a_1 = 1, a_2 = 0, a_3 = 0, a_4 = 1), then C_3 will start at the 23rd position of C_1, giving rise to the column H_6. Bits 24 and 25 of C_1 have been deduced from C_2' in Hypothesis 1. In row 2, H_6 and C_3 have a common bit with contradiction (starred bits). Thus, the initial state of SR_1 1100 must be rejected.

From Hypotheses 5 and 6, Hypothesis 1 must be rejected. Remark that the configuration (a_0 = 1, a_1 = 0, a_2 = 0, a_3 = 1) in Hypothesis 3 is the only one free of contradiction. See the search tree in Figure 1. Thus, it corresponds to the actual initial state of SR_1. The successive bits of SR_1, that is the PN-sequence {1, 0, 0, 1, 0, 0, 0, 1, ...}, are checked by the successive columns C_4, C_5, ..., C_8 of the shrunken sequence. Concerning the initial state of SR_2, in Table 5 (column Solution) we can see that the bits b_4, b_3, b_2 can be obtained from the known bits of C_1 in rows 23, 25 and 27, respectively. In fact, b_4 = 1, b_3 = 0, b_2 = 1. The bit b_1 in row 29 satisfies the equality

b_1 = z_{29·8} = z_{1·8} + z_{2·8} + z_{4·8}, (16)

as α + α^2 + α^4 = α^29 in the extension field GF(2^{L_2}). We know that z_8 = 1 and z_16 = 1, while z_32 can be easily deduced from the equality z_{14·8} = z_{0·8} + z_{4·8}, as 1 + α^4 = α^14. Thus, z_32 = 1 + 1 = 0 and, substituting in b_1, we get b_1 = 1 + 1 + 0 = 0.

Figure 1: Search tree for the initial states of SR_1 (the rejected branches are marked "contradiction"; the tree itself did not survive extraction).

The final results of Phases 1 and 2 are the initial states of both LFSRs, IS_1 = (a_0, a_1, ..., a_3) = (1, 0, 0, 1) and IS_2 = (b_0, b_1, ..., b_4) = (1, 0, 1, 0, 1). From the knowledge of both initial states the whole shrunken sequence can be reconstructed.
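The example of this subsection, carried through end to end as added Python code that is not part of the paper: it models the shrinking generator with the parameters above, derives the 32 Phase-1 bits with the three relations of the chained sub-triangles (1 + α = α^19, 1 + α^2 = α^7, 1 + α + α^2 = α^23), and runs the Phase-2 search of subsection 5.2 over the 2^{L_1-1} initial states of SR_1 with a_0 = 1, mapping every known bit of a column C_c onto C_1 through equation (15) and rejecting a candidate at its first contradiction. Two points are assumptions of the example rather than statements of the paper: the polynomial convention (s_{t+L} equals the sum of the lower-degree terms, which is the reading that reproduces the intercepted sequence), and the way the missing rows of C_1 are filled, namely with the linear recurrence of P(x) instead of the Zech-log identities the paper evaluates; the two computations are equivalent.

```python
"""Shrinking generator of subsection 5.3 and the Phase-1/Phase-2 reconstruction.

Added example, not code from the paper.  Assumed convention (checked against
the intercepted sequence of the example): a register with characteristic
polynomial sum_{e in EXPS} x^e of degree L satisfies
    s[t+L] = sum_{e in EXPS, e < L} s[t+e]  (mod 2).
"""
from itertools import product

L1, L2 = 4, 5
C1_EXPS = (0, 3, 4)            # C1(x) = 1 + x^3 + x^4            (SR1, selector)
C2_EXPS = (0, 1, 3, 4, 5)      # C2(x) = 1 + x + x^3 + x^4 + x^5  (SR2)
P_EXPS = (0, 1, 2, 4, 5)       # P(x) = 1 + x + x^2 + x^4 + x^5: characteristic
                               # polynomial of the PN-sequence in every column
IS1 = (1, 0, 0, 1)             # initial states found in the paper's example
IS2 = (1, 0, 1, 0, 1)
D = 2 ** (L1 - 1)              # 8 interleaved PN-sequences = columns C_1..C_8
N = 2 ** L2 - 1                # 31 rows = period of the PN-sequence
INV = pow(2 ** L1 - 1, -1, N)  # solves j (2^L1 - 1) = i (mod 2^L2 - 1), eq. (15)


def lfsr(exps, state, n):
    """First n output bits of the LFSR with characteristic polynomial exps."""
    L = max(exps)
    taps = [e for e in exps if e < L]
    s = list(state)
    while len(s) < n:
        t = len(s) - L
        s.append(sum(s[t + e] for e in taps) & 1)
    return s[:n]


def shrunken(is1, is2, n):
    """First n shrunken bits: SR2 output kept wherever SR1 outputs a 1."""
    a = lfsr(C1_EXPS, is1, 4 * n)     # 4n selector bits hold at least n ones
    b = lfsr(C2_EXPS, is2, 4 * n)
    return [bj for aj, bj in zip(a, b) if aj == 1][:n]


def phase1_known(z24):
    """Known bits after Phase 1: the 24 intercepted bits plus the 32 bits the
    paper reconstructs, rows 19-20 via 1 + a = a^19, row 7 via 1 + a^2 = a^7
    and row 23 via 1 + a + a^2 = a^23 (row r holds positions r*D .. r*D+7)."""
    known = dict(enumerate(z24))
    for k in range(16):
        known[19 * D + k] = z24[k] ^ z24[k + 8]
    for k in range(8):
        known[7 * D + k] = z24[k] ^ z24[k + 16]
        known[23 * D + k] = z24[k] ^ z24[k + 8] ^ z24[k + 16]
    return known


def column_shifts(is1):
    """Start of every column C_c inside C_1 under the hypothesis IS1 = is1: if
    the c-th one of one SR1 period sits at p_c, then C_c[r] = C_1[r + p_c*INV].
    C1(x) is primitive, so any non-zero state yields exactly D ones per period."""
    a = lfsr(C1_EXPS, is1, 2 ** L1 - 1)
    return [(p * INV) % N for p, bit in enumerate(a) if bit == 1]


def consistent_c1(is1, known):
    """Map every known bit z_n (row n // D, column n % D) onto C_1.  Returns the
    partial C_1 (row index -> bit) or None at the first contradiction."""
    shifts = column_shifts(is1)
    c1 = {}
    for n, bit in known.items():
        r, c = divmod(n, D)
        idx = (r + shifts[c]) % N
        if c1.setdefault(idx, bit) != bit:
            return None
    return c1


def phase2(known):
    """Search the 2^(L1-1) initial states of SR1 with a_0 = 1 and keep those
    whose hypothesised column layout contradicts no known bit."""
    survivors = {}
    for tail in product((0, 1), repeat=L1 - 1):
        is1 = (1,) + tail
        c1 = consistent_c1(is1, known)
        if c1 is not None:
            survivors[is1] = c1
    return survivors


def complete_c1(partial):
    """Fill the remaining rows of C_1 with the recurrence of P(x): the XOR of
    C_1[k+e] over e in P_EXPS is 0 for every k (indices mod N).  This stands in
    for the paper's GF(2^L2) identities such as a + a^2 + a^4 = a^29."""
    c1 = dict(partial)
    changed = True
    while changed and len(c1) < N:
        changed = False
        for k in range(N):
            idxs = [(k + e) % N for e in P_EXPS]
            unknown = [i for i in idxs if i not in c1]
            if len(unknown) == 1:
                c1[unknown[0]] = sum(c1[i] for i in idxs if i != unknown[0]) & 1
                changed = True
    return [c1[i] for i in range(N)] if len(c1) == N else None


def recover_is2(c1_full):
    """b_i is row j_i = i * INV (mod N) of C_1, equation (15)."""
    return tuple(c1_full[(i * INV) % N] for i in range(L2))


if __name__ == "__main__":
    z = shrunken(IS1, IS2, 248)
    for is1, partial in phase2(phase1_known(z[:24])).items():
        print("IS1 =", is1, "-> IS2 =", recover_is2(complete_c1(partial)))
```

Run as a script, the block reproduces the paper's result: the only surviving candidate is IS_1 = (1, 0, 0, 1), and reading rows 0, 29, 27, 25, 23 of the completed C_1 gives IS_2 = (1, 0, 1, 0, 1). The seven other candidates with a_0 = 1 fail on the same kind of collision the text describes: two known bits of different columns land on the same row of C_1 with different values.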

5.4 Computational Features of the Attack

The computational complexity of the previous cryptanalytic attack can be considered in two different phases: off-line and on-line complexity.

Off-line computational complexity: This phase is to be executed before intercepting the sequence. It includes:

• Computation of the characteristic polynomials P_i(x) of the sub-automata R_1 R_2 ... R_i (1 ≤ i ≤ l) by means of equation [number lost in extraction], where l is related to the amount of intercepted sequence (l · 2^{L_1-1} ≤ r). This computation is necessary in order to obtain general expressions for the elements of the chained sub-triangles in the reconstruction procedure.

• Computation of the positions of the bits b_i (i = 1, 2, ..., L_2 - 1) on C_1, the first column of the shrunken sequence matrix, by means of equation (15). This computation is necessary in order to determine the bits of the initial state of SR_2.

• Computation of different elements of the extension field GF(2^{L_2}), such as 1 + α, 1 + α^2, ..., and linear combinations of them by means of the Zech log table method [1] for arithmetic over GF(2^m). This computation is necessary in order to determine the distance between the intercepted sequence and the portions of reconstructed shrunken sequence.

On-line computational complexity: This phase is to be executed after intercepting the sequence. According to the previous subsections, the computational method consists in the comparison of series of bits coming from the formulated hypotheses and from intercepted/reconstructed bits. The comparison is realized by means of bit-wise logical operations, so the computational complexity is rather low. Occasionally, the computation of some element of GF(2^{L_2}) must be carried out in order to determine additional elements of the PN-sequences. The most time-consuming part of this cryptanalytic attack is the search over the 2^{L_1-1} possible initial states of SR_1 (assuming a_0 = 1). Due to the contradictions found in the first levels of the search tree, the exhaustive search can be dramatically improved. On average, we can say that in the worst case the search can be reduced to half, so that the computational complexity of this attack is O(2^{L_1-2}). In addition, several considerations must be kept in mind:

1. The improved exhaustive search is carried out over the state space of the shorter register SR_1.

2. Every check of a hypothesis is realized only over the 1's of the configuration under consideration, so the procedure speeds up for configurations with a low number of 1's.

Finally, comparing the proposed attack with those found in the literature, all of them are exponential in the lengths of the registers. In particular, the complexity of the divide-and-conquer attack proposed in [22] is O(2^L) for the length L of one of the registers (the register index did not survive extraction). The probabilistic correlation attack described in [1?] has a computational complexity of O(L_2 · 2^{L_2}). Also the probabilistic correlation attack introduced in [14] is exponential in L_2. In this work a deterministic attack has been proposed that improves on the complexity of the previous cryptanalytic approaches.
6 Conclusions

A wide family of LFSR-based sequence generators, the so-called Clock Controlled Shrinking Generators, has been analyzed and identified with a subset of linear cellular automata. In this way, sequence generators conceived and designed as complex nonlinear models can be written in terms of simple linear models. An easy algorithm to compute the pair of one-dimensional linear hybrid cellular automata that generate the CCSG output sequences has been derived. In addition, a cryptanalytic attack that reconstructs the output sequence of such generators has been proposed too. The procedure is based on the linearity of these CA-based models as well as on the characteristics of this class of generators. The cryptanalytic approach is deterministic and improves on an exhaustive search over the states of the shorter register. Computing the initial state of the longer register is a direct consequence of the previous step. From the obtained results, we can create linear cellular automata-based models to analyze/cryptanalyze the class of clock-controlled generators.
Table 4: The shrunken sequence produced by the shrinking generator described in subsection 5.3. [Table body not present in the extraction.]

Table 5: Different hypotheses formulated on the bits of SR_1. [Table body not present in the extraction.]

Table 6: Different hypotheses formulated on the bits of SR_1. [Table body not present in the extraction.]